Smoothwall Blogspace

Safer Internet Day: Passwords and Protection

2012-02-07T14:25:00.005Z

Today is Safer Internet Day - an event organised by Insafe to help people, particularly young people, become and stay safe in today's interconnected society.

Instant interconnectivity can be daunting to the uninitiated. Within a few minutes, you can have Facebook and Myspace tied into lastfm, twitter, flickr, blogspot, stumbleupon, reddit and literally hundreds of other third party games, apps and sites, all of which come together to help us connect to more people, more quickly, more of the time … every connection you make increases the amount of people that can see information about you – information that could be used to target you. If you have up to date anti-virus software and a firewall it will help protect you against many software based threats, keyloggers, botnets and the like, but it can’t protect you from the malicious and hurtful people you meet on and off-line. Passwords are the key to your on-line life. One of the easiest ways to break into your computer system is to guess your password. Especially if that password is on a post-it note, stuck to the screen. With the word 'password' next to it in block capitals.

Is your Facebook password the same as your computer login? It's easier to remember that way isn't it? So now, because of that post-it, someone knows your personal email address, date of birth, where you went to school, where you work, where you live, who all your friends are, every club you've been to in the past 6 months (and on what dates), what car you drive, when you bought it and exactly what your next door neighbours cat had for breakfast. In isolation, none of this information would be particularly useful in the hands of someone with nefarious intentions, but put it all together and it wouldn't be too difficult for them to impersonate you on-line. I hope your banking password is different...

Aside from the material risks, there is also the danger of someone manipulating your social life. Abusive messages to friends, offensive posts about others and publicised subscriptions to ‘entertainment’ sites you woudn't normally touch with a barge pole can all produce a pretty uncomfortable social backlash. This applies to all age groups, but the most quoted problem area is teenagers and cyberbullying.

Cyberbullying is real, hurtful and dangerous. The faceless nature of the attacker can make it even more disturbing than a bloody nose in the playground or superglued books. How do you fight something intangible? The first step is to know what tools you have at your disposal. Every social website (twitter, lastfm, facebook, myspace et. al.) has a ‘block person’ function to stop people contacting you – and for serious incidents a ‘report this person’ process. Most have a setting to make this the default behaviour, and only those you select can get in touch. If you don't want to communicate with someone on-line, you don't have to - the tools are there and very easy to use.

I know several teachers that have have students who have experienced cyberbullying/cyberstalking incidents that have spilled over into the school environment. By this point, the victim had been terrorised for several weeks or even months beforehand. A trying time for everyone – especially the victims, but the trauma and fallout could have been averted with a few clicks had they only known how to protect themselves on-line.

Internet safety is not just about protecting your computer - it’s about knowing how and why to protect yourself. You wouldn’t walk down a dark alley on your own late at night, even if there was a sign at the entrance saying ‘Play for free now!’ Yet the same sign on the internet flashing red and yellow is often treated as a risk free invitation. A little trepidation is all that’s needed. A slight shift in your mentality from ‘why not’ to ‘why should I?’. Why should I give someone I don’t know the means to contact me any time they please? Why should let them see everything I’ve done and everywhere I’ve been? Why should I keep talking to someone if they’re making me feel uncomfortable?

Just as the internet has become an everyday thing, internet safety should be something that’s considered every day.

Have a look here for some useful information about password practice.

TalkTalk Hiccup With Porn Filtering

2011-12-06T16:53:00.001Z

TalkTalk - the UK ISP has recently had a problem with the adult content web filtering system it has implemented. The guys from PC Pro cover the story admirably - "TalkTalk's porn blocker lets explicit videos through" but focus on the failure not the implications.

They've come under a bit of unfair stick for it failing (to my untrained rather wonky eye it was hacked) but at least they've not ducked out of trying to give parents options to protect their children (unlike some other ISPs we could mention). So hats off and a big hurrah for them!

We (on the filtering and control side of the fence) often hear 'it's too hard' (no pun intended), 'we're not censors' and 'infringement of freedom of speech' noises from the big boys with the fat data pipes (again no pun intended). What they're really saying is 'with our wafer thin margins how are we going to make an honest buck from adding yet more kit and resources - you lot (us consumers) are only interested in price and speed.'

I've got a wacky idea. ISPs could show a bit of social responsibility and give parents (and others that want it) decent and easy to control filtered web access for their kids (not just porn, race hate and other societal unpleasantness). It's not that hard to do (we know how) and we (the parents that do care) will pay a small premium (that we would have spent with end-point controls anyway) and the world will become a better place. It's happening successfully elsewhere - the famously liberal Dutch have an ISP Kliksafe who have been doing it for ages.

So, ISPs please spend a fraction of your whopping fiber roll-out budgets on making the online world a better place for kids not just delivering the porn faster and in HD.

Facebook. Look, but don't touch.

2011-11-17T15:44:00.006Z

Facebook. For some, it's the little black book, calendar, photo album, arcade and mailbox, all rolled up into one crisp pale blue package. The anvil on which many, including myself, forge their social lives.

It is however not without its problems. Between the above, facebook is an effective timesink and can impact productivity in the workplace, ultimately costing companies money. Numerous reports of cyberbullying, facebook stalking and the friend who got 'facebook fired' for posting something libellous understandably put organisations and instituions on edge. The knee jerk reaction is usually to deny access altogether. This hammerblow approach has the desired effect of protecting people from themselves, but can also leave them feeling cut off and frustrated.

Facebook is not an evil of itself by any means. People are social animals, and the Social Network is indeed an intrisic part of every day life for about 800 million people around the world. A friend found his dogs within 6 hours of them going missing, through a chain of events started with a facebook post, so it can certainly be a force for good.

Unrestricted access to facebook is out of the question for many organisations, and no access at all is a blanket solution. Is there a middleground?

I've been working on a project that should offer one.

The result is a solution that allows people to look, but not touch. In short, facebook is available, but without the risk to the individual or organisation. Read-only mode if you like. Combined with Smoothwall's time slots, it offers a powerful and flexible alternative to the hammer approach of blocking it entirely.

Facebook is a technical behemoth. A vast expanse of dynamic content, realtime updates, targetted adverts, likes, shares... the list goes on. It's also tied into an astonishing array of other sites around the web, pulling content from anywhere with a 'like' or 'share' button. Disseminating this giant was a challenge, but definitely worthwhile, and is another step in providing people with the tools to control what enters and leaves their organisations. This time, a scalpel.

iPhone 4S upgrade and first impression review

2011-10-20T22:56:00.002+01:00

I love stuff that just works and usually the iPhone ticks those boxes for me. So, naturally, I ordered an iPhone 4S 64Gb the same day this was possible. This is to upgrade from my iPhone 4 32Gb. The three things that excited me the most were Siri, having plenty more storage and the improved camera. Faster is nice but I did not find my existing phone to be slow.

Today my phone arrived and I decided to try 100% wireless restore. I.e. not plug in to my computer with iTunes and only restore from the latest iCloud backup. I was amazed at how well it worked. All I had to do was switch my SIM over to the new phone and put in my wifi password and apple account details and in minutes it was ready to start being used.

The first thing I had to do after that was enter a new lock screen PIN, which it prompted me to do. Then it asked for my apple id again (not sure why it did not use what I entered earlier). Then it prompted me for some Google Apps accounts passwords so I had to set up some new application specific passwords. This re-entering of passwords I have seen before when going from a 3GS to 4. It seems the backup keys the passwords against the hardware for security. Makes sense.

To set up the application specific passwords I had to use the Google Authenticator app. Unfortunately at this point it has not finished downloading and installing all the apps. So I clicked on the app and it jumped to the front of the download queue. A moment later I ran it only to find it had not copied over the 2-factor account details, of which I have 5. Mildly annoying. I guess it’s the same reason as the passwords; security. So I had to choose SMS me the number and I was in. I will finish setting up the authentication later.

But that was about the only niggle I had. All the settings for everything has migrated, all apps, all icon positions and folders, all messages, all pictures - even my open safari tabs, my tiny tower, and my cut the rope progress! Very slick.

I tell you this cloud stuff. It’s the future man! LAN is so last millennium.

Next I wanted my music and went to the wireless iTunes sync. It said... To sync music wirelessly... plug in... and choose wifi sync. Oh well. After I had done that it started to copy them over automatically, via wi-fi. This was taking some time so I just plugged it back in again and let it copy over at USB speeds.
I wanted to play with Siri, so I turned it on and had the following conversation:

“What time is it?”

“It’s 8pm”

"Will it rain tomorrow?"

"There is no rain forecast for Southampton tomorrow."

"What time does my last appointment finish tomorrow?"

"Your last appointment tomorrow ends at 5.30pm."

“What should I buy my wife for Christmas?”

“Sorry, I don’t understand “What should I buy my wife for Christmas?”, shall I search the web?"

"Why not?"

"Why not what?"

“**** ***”

“Sorry I don’t understand “4Q””

“**** ***”

“Daniel, I don’t understand “4Q””

“Now you’re getting cheeky!”

“If you insist.”

“You’re funny!”

“Ha! I’m glad you think so.”

I am going to have so much fun with this!

I tried the camera in a fairly low-light situation and it seems still very grainy but not quite as bad as previous phones. I have yet to try it in the daylight.

So, first impressions are good.

Are Sys Admins and Network Managers Police Persons?

2011-09-28T12:02:00.000+01:00

Having spent the last eighteen months in the IT security business (I'm originally a tech marketer from the imaging industry) I'm constantly surprised at the range and responsibility of the jobs Network Managers and Sys Admins are required to undertake - especially those that work in education with all the attendant responsibilities that looking after other peoples' kids entails.

A recent post caught my attention about qualifications in e-safety for those hard-pressed information system plumbers - I don't mean that in a disparaging way either to plumbers or techs - if the information stops flowing, starts leaking, gets backed up ... do you have the skills, knowledge and stomach to unblock the u-bend? - I certainly don't.

I digress - back to the post from the BCS - their core premise is that e-Safety should be taught as a part of the national curriculum (I agree) but there hasn't been a structured way to teach it (I agree) and that the IT department usually ends up having to carry the can for a myriad e-safety problems and incidents (I agree).

To quote The BCS directly: "You wouldn’t send someone who came into a school with a knife to the design technology department, but with internet issues, people usually get directed to the IT department - and the issue is bigger than that."

The creation of a structure to teach e-safety to our kids can only be a good thing - especially if it's delivered by properly qualified teachers. The reclaiming of the teaching environment from the techs by continuous education of all teachers in IT related subjects (not just as 'users' of tech) is an important step in this process.

This also raises the issue of where responsibility (and accountability) lies in hard-pressed schools and LAs for delivering e-safety (and the attendant tech paraphernalia that it requires). In the eyes of the law it's pretty clear (teachers, employers and Governors) but in practice it all seems to be all over the place - with the IT function getting dumped on because it's 'computer or internet related'. If you read some of the threads in Dr. Brian Bandey's e-Safety Law in Education LinkedIn group they illustrate the complexity of this evolving problem.

So - going back to the title of this piece - Are Sys Admins and Network Managers Police Persons? In my personal opinion they should be exactly that - they should provide a safe infrastructure on which to base education. They shouldn't be considered as policy makers, judges or arbiters of standards just because a computer is involved in the process. These functions lay with the educators, policy makers and legally accountable members of the education community - who (again in my personal opinion) should step-up to the challenge and properly understand some of the (seemingly transparent) technology that they currently use and rely on to keep them out of the law courts.

Smoothwall at TechMesh EXPO

2011-09-01T13:33:00.001+01:00

Our friends at TechMesh are putting on a regional showcase of IT & Telecoms talent to showcase the region’s techie assets - and we'll be there! The all day event, which is being held at the Royal Armouries in Leeds on the 13th October should prove to be a worthwhile day out with some interesting speakers lined up.

To add to the fun we'll be doing our thing demonstrating our latest tech in the Interactive Zone - a sneak preview of our pitch >>>

Social Notworking - Who's coming to work to play?

How to see exactly who's doing what and when on your time and network?

The Dangers of Web 2.0

Web Filtering - Why Bother?

What web filtering really means and how doing it properly benefits your business?

How do you filter the web?

What are the key technical benefits

What are the productivity benefits

Protecting yourself, your business and staff from web borne threats

Malware vectors - it's not just email viruses

What can happen after an e-safety incident

Cost of fixing the damage

Legal implications

We think that the expo provides an insight into how the world of technology is changing - and that Yorkshire and Humber have a great deal to offer the world techwise.

In summary - the guys at TechMesh have put together a great programme of over 40+ exhibitors; a techpanel – a seasoned panel of experts; an interactive zone where visitors can watch, listen and play with the very latest in technology and a SME surgery for one to one advice from industry experts. There will also be members from all the local business groups milling around - so the networking opportunities will be fantastic.

Date: Thursday 13th October 2011
Time: 9am – 4.30pm
Venue: Royal Armouries, Armouries Drive, Leeds, LS10 1LT

Cost: FREE please visit http://techmeshexpo2011.eventbrite.com/ to register

iPad 2 vs Chrome Book

2011-08-15T21:48:00.003+01:00

I’ve had an iPad 2 for a few weeks now and I love it. I’ve had a Chrome Book for a week now and I like it. There you go, that is the conclusion of the review. But not quite. There is a lot of cross over in functionality between the two devices, such as apps, email, web, Facebook, etc, however they both lend themselves to different scenarios.

The Chrome Book has two key features missing from the iPad;

Multiple user accounts
Chrome web browser

Multiple user accounts is, IMO, vital for a shared device - not just security but also convenience. I love how the log in (almost) seamlessly integrates with Google web applications and things like Google Cloud Printing. I say “almost”, because a couple of times I have had to enter a password when I would have expected it to know I was already logged in with that Google account.

The Chrome web browser is, without doubt, the best web browser by far and allows full access to all the modern web features like Google Docs and Facebook. The Facebook app on IOS is OK but to get full functionality requires the web version. Google Docs is very very cut down on IOS Safari - so as to be too limited for anything other than the most basic note taking, unless you just want to read a document in which case it’s perfectly good. This review is being written using Google Docs on the Chrome Book.

The Chrome Book is missing a major application though; Skype. This will be a show stopper for some people. The iPad does not have a proper app, only an iPhone app but it works well enough. There is always Google Video but it’s just not got the market penetration. Google chat can also now make actual phone calls like Skype.

My father was able to log in and use the Chrome Book fairly easily but then complained when he was unable to write in French in Gmail as there is no way that he or I could see to enter letters such as e-acute. I ended up writing the email in Docs in English then translating to French then correcting the French then copy and pasting in to Gmail. My father reverted to his iPhone for further French emails.

The Chrome Book has a proper keyboard and tracker pad and a reasonable resolution screen. I also have a keyboard stand thing for my iPad. They are similar in use. I find myself wanting to touch the screen on the Chrome Book instead of use the pad as it would be quicker.

The Chome Book boots in about 5 seconds and it almost takes me longer to type my password than it takes to go from login screen to being 100% ready to go. And I don’t mean the Windows-pretend-you-have-the-desktop-but-actually-come-back-later-after-a-coffee. So both iPad and Chrome Book are ready to use instantly without being concerned about booting.

I’ve just been on holiday for a week and mostly used the iPad and Chrome Book rather than a PC, but today I was back at work and within minutes of using my Windows 7 desktop PC I was frustrated with “Window is not responding” and other crap like the AV telling me it needs to update then when I shut down Windows it had 13 updates to install. Bah! I tell you - things like the iPad and Chrome Book are the future. People won’t put up with this for much longer. That said, I won’t be giving up my Windows PCs for a long time until good games like Portal 2 and WoW work on these devices.

The Chrome Book has multiple external storage options and expansions but the iPad has none. I’ve not found I needed this though.

The Chrome Book runs a little warm for my liking. Mine is a Samsung Chromebook Series 5 and according to top has 4 cores. After a few mins a small fan starts up and pumps out hot air on the left. That would be nice in winter but in the summer it made me put it on a table not my lap. The iPad only gets warm from my hot sweaty hands.

In terms of speed, the iPad seems just a little bit faster. Both can play HD youtube no problem or anything I throw at them. But I think the iPad cheats by only doing one thing at a time where as on the Chrome Book, all the tabs are running at the same time.

Both have similar and very long battery life. Hours and hours of usage.

I was able to get the VPN on the iPad to work straight away with my Smoothwall firewall but the Chrome Book is currently missing this functionality although this is due out soon.

IOS does not support much in the way of automatic proxy settings and is quite picky with the proxy.pac URL in that it has to be a fully qualified address. So for visiting iPad users you will need to use transparent web filtering. I’ve not tested the Chrome Book yet.

The Chrome Book has no integration with my Apple TV (as you'd expect) so when I find something interesting or want to view it on the TV, I can't.

My iPad is configured for remote wipe via Google Apps and MobileMe. I've not found a remote wipe option for the Chrome Book yet, but I'm also not storing anything on it.

If I had to keep just one device - it would be the iPad. It does nearly everything and I hope one day it has a better browser. I am keeping both though!

Chrome Book is ideal to give to one’s parents who keep having to reinstall Windows because they get a virus or don’t update. Fully automatic updating in the background. Love it. Chrome Book is more secure and appropriate for a work place. iPad will keep being useful in a car when travelling and where there is no wi-fi.

iPad is for fun and a little work. Chrome Book is for work and a little fun.

Reverse Image Search

2011-07-27T17:33:00.022+01:00

Google have recently launched a new set of reverse image search functionality for their image search service. For the uninitiated, “reverse” image search allows you to use an image as the jumping off point for your search, instead of boring textual keywords.

And why exactly would we want to do this? I can think of a few reasons:

In the simplest case this can be a more interesting, or intuitive way to image search.
Perhaps you find a 5 year old JPG in your home area and you just can’t remember where it came from. Maybe Google remembers?
You need to find a HD version of your desktop wallpaper for that shiny new monitor. No problem...
Maybe you’re a rights-holder trying to track your own images. You wouldn’t be the first.
Being scammed by online dater fakers? Reverse search that profile picture - oh yes, that *is* Pierce Brosnan.

Now this isn’t an entirely new idea, an early player in the game was TinEye. TinEye are still operating and hopefully they’ll stay around some more, giving us double the image searching fun.

Google’s new functionality comes in two pieces.
At the core is ‘Search by Image’ within Google Images. Using the search query box, you can now choose to search with an image of your choosing. This can be a link to an image available on the web, or you can upload one from your local machine. Browser permitting you can even drag and drop a file, which is cute.

As we can see the result set allows us to discover locations on the web where the desired image can be found. We can also specify a different size for the image and locate those too.
Google’s algorithm will make a best guess at the topic of your search and this “trail” can be followed in the normal way - using the suggestion as a search term.

Further down the page we find the second part of the functionality, ‘Visually similar images’. This is where it gets interesting. We can now search around other images found to be similar to our input image. Effectively we can “bootstrap” the image search process with an image of our choosing. This is a great way to find something very particular, or something hard to spell, or indeed... pornography.

Clearly this can be used to find content without stating your intention in the form of keywords. For Corporate or Education networks this might be an AUP circumvention risk. Hence, filters must move with the times. Here at Smoothwall we’ve added a new category for Reverse Image Search services, as it may not be appropriate for all users. We’ve also worked to ensure Force SafeSearch, Search term filtering and Deep URL Analysis are compatible with Google’s latest developments.
Screenshot 2 was generated behind Smoothwall Guardian, demonstrating those features. Just for fun, here’s a screenshot using A. N. Other web filter...

Note: Censored to be (semi) safe-for-work.

Security? Turns Out It's Not That Difficult!

2011-07-25T16:33:00.003+01:00

This afternoon, I was sent a link by a colleague to some useful information. The Australian government - specifically the Department of Defence "Defence Signals Directorate" (cool department name winner, 2010-2011 season) - have tastefully tabulated a bunch of targeted phishing mitigation techniques, along with their effectiveness, and various metrics indicating how hard these techniques are to apply. Check out the table here.

So far, so good - the interesting thing, however, is how some of the simplest advice is the most effective. For example, keeping your regular users from having administrative privs is rated as an "excellent" defence - and these days, is relatively easily done, as most software is well behaved with regard to needing to run as admin. Where desktop software vendors could make our lives easier though is keeping up-to-date on things like Java, Acrobat, Flash and company - Microsoft Update does a decent job... but something integrated and simple for other software might help use institute another "excellent" defence more easily.

I would imagine that this advice applies as well to other kinds of attack - this document being fairly specific to targetted phisning attacks - as they use similar vectors. Probably having up-to-date antivirus would make up a couple of notches and email whitelisting might not get an "excellent" if we were looking at a more general case. Still, it's worth a read, just to get the little grey cells working in a security type way for a few moments!

Account security when visiting other peoples’ computers and the additional danger of federated authentication - use Incognito!

2011-07-03T17:08:00.001+01:00

You know when you need to access your email or a document or look up information on a CRM but you are not on your computer? Perhaps it’s a colleague's or a customer's PC. Have you ever considered that you may be leaving passwords or cookies which would allow them access to your personal or company secrets on that computer? Often closing the web browser’s window or clicking ‘Do not remember password’ is not enough - there could easily be authentication cookies left around. You might, accidentally, allow the browser to remember the password. In addition, federated authentication makes this even easier to leave yourself logged in.

I’d like to make a bold statement;

The level of knowledge a person is required to have, right now, to be secure using modern technology such as web applications, is higher than even normal IT-literate users currently have.

I’ll give you an example. If you use federated authentication, then you may end up logged in to both what you expected to be logged in to and the authentication provider. E.g.. log in to Clarizen.net (just an example) by clicking the G button and put in your Google credentials. Now log out of Clarizen. You would think you were logged out - not so. Now go to mail.google.com. See that you are also logged in to Google. Did you realise that before now? I bet you did not.

The mistake that Clarizen are making is that they failed to realise that users expect single-sign-on and but also single-sign-off. The mistake users are making is not realising that single-sign-on does not mean single-sign-off.

The solution for Clarizen and others is to make their log out link redirect to the Google (or other) log out URL. I have recently used this technique with great success with an integration project. Naturally you will want to warn the user that it will do a full log out.

The solution for users, including me, is to always always always use an Incognito Window. Never log on to another user’s computer without using one. What this does is ensure that nothing gets saved on the computer (except downloads) - even if you accidentally allow it to remember passwords or save authorisation on the computer. Once you close the incognito window, all traces that you were there, cookies, passwords, user names, history, etc, are gone.

Incognito also allows you to browse knowing that there will be no history so that if you are looking for something online that you would not like your partner to see, your secret is safe. (I am thinking presents...).

Incognito is available in:

Google Chrome - Tool menu > New incognito window
FireFox 4 - Tools > Start Private Browsing (Ctrl+Shift+P)
Internet Explorer 9 - Cog menu > Safety > InPrivate Browsing
Safari - Edit menu > Private Browsing
Opera - Menu > Private Tab / Private Window

Remember though, it is only going to ensure nothing is left on the computer. If the computer is infected with a key logger and you’re not using two factor authentication, then your account is screwed anyway. Also, if the network admin is using a good web filter, such as Smoothwall Network Guardian, then he will know exactly where you’ve been - even if you tried to hide it.

More info can be found on this Wikipedia article.

Why Am I Not Afraid Any More?

2011-06-11T19:28:00.004+01:00

So i've just finished watching the F1 qualifying on Saturday afternoon, and my thoughts turn to work (hey, why not?). I've seen a few stories in the news these last 7 days, and by rights we should probably be gathering up tins of fray bentos, packing the cat, and heading for the hills.

NHS could be hacked easily?
Sony being hacked for sport and Nintendo can keep your data safe (maybe?)
Facebook can track your face around the web (and would rather not ask first)
RSA tokens, that bastion of security.. compromised
FBI partner, lightly owned

Instead I'm wondering if we'll see rain in Montreal tomorrow and Mclaren can put in a decent race pace. What's wrong with me? Why am I not afraid any more?

One reason might be that I've become jaded, inured to breathless security scare stories by... well, people like me - other infosec professionals. I hope we haven't cried wolf, though hunting moose in packs does sound like a lark. Millenium bug syndrome - over hyped by folks that stand to benefit!

Perhaps another reason could be that we've come to expect the odd breach, just like we've come to expect we'll probably catch the dreaded summer cold at some point (another of my excuses for snoozing through the week and not blogging any of these stories, i've been under the weather!), we come to expect security breaches which kill off a few weak members of society, but most people shrug it off with little ill effect. We're now used to cleaning up after the bad guys? Familiarity breeds contempt.. and maybe a hint of complacency?

Of course, there's another option - I haven't really felt the repercussions of any of these issues this week. I don't use an RSA token, own no consoles(!), there's relatively few pictures of me acting the goat on facebook, and my medical history doesn't appear to have been indexed by google (yet, at least). Could it be I just need to have a security breach drop something on my toes?

Anyway, I promise to try and pay a little more attention to the bad stuff going on in our digital domain, but if I fail to get excited by the latest round of apocalyptic damp squibs, cut me some slack will ya? ;)

6 Easy Ways To Look Like A Security Expert

2011-05-31T12:26:00.008+01:00

Few people have time to become an Internet Security expert, but with this post i'm going to introduce you to some websites, tools and other resources that can give you a bit of an edge, and, importantly, look impressive to the uninitiated. As a network manager, you're supposed to know everything about anything that has a cable attached - so finding time to be an all-areas expert is not going to fly. Luckily we can alter our users' perception and be seen as a security champ. We all know you're probably doing the right stuff in the background, all the unexciting bits, so let's see if we can't find something with a bit of sparkle.

A user asks "is this a virus" - now you can not only be more confident, but you have got a nice looking report as well, thanks to virustotal.
Looking like a hacker from the movies is easier than you think - network swiss-army-bazooka nmap (movie references here) has a nice graphical front-end, is easy to use and actually really handy, go get zenmap. Bump the shiny up another notch, and Overlook Fing is like a miniature nmap on android or iphone.
Keeping up with the latest news and views in security is tough, but if there's one guy who's opinion it is always worth reading, it's Bruce Schneier. Luckily, he publishes a monthly newsletter, Cryptogram. Sign up here.
We can't all keep a virtual machine knocking around to burn testing dubious looking links. Luckily, we can get a fair idea if a link is going to riddle us with zero-day hell, and a nice report to boot from the folks at wepawet.
Many people thought I should have included this one at number one - a great looking packet analyzer with a cool name, Wireshark (or Ethereal as it was formerly known) can be used to find out a lot about your network, and is great for seeing what's really going on. Pulling unencrypted passwords and snippets of plaintext conversation off the wire - always a good demo. Remember you can use tcpdump (on your Smoothwall or other Linux-based firewall!) to pick up packets to look at later as well. One that takes a bit of learning, but well worth it. Get Wireshark here.
Most of us are Windows users, but Linux has a lot to offer. Even if you don't run Linux all the time, there are a couple of live cds which will run without modifying your PC. For the security minded, there's the Trinity Rescue Kit, ever helpful for recovering "lost" passwords, and for the slightly more black-hatty among us, backtrack is the place to be. An unfamiliar and complicated looking interface will do your status with your users no end of benefit. Download and burn trk or backtrack.

I've limited my list to free tools and resources which would generally be accessible to a broad range of network managers and IT techs, but I might have missed your favourite - get in touch, and leave me a comment!

Google and Mozilla giving up on URLs?

2011-05-31T09:55:00.005+01:00

In the past few weeks, there have been indications that two of the Internet's biggest browsers are reconsidering the central position of the URL in web browsing. Firefox and Chrome's designers are looking at ways to downsize, repurpose or remove the traditional "location bar" where traditionalists have been used to typing web addresses for years.

This comes as no great shock - even in the early days of the web, efforts were made by the likes of AOL to use keywords to navigate to websites. AOL failed, ultimately, but the concept succeeded. In today's web, entering a known URL is unusual for most people - we trust our search engines to bring back the content we require from our search terms, and we use our bookmarks to keep track of things we like - never needing to see the URL itself. Advertisers are starting to make more use of this too - it is increasingly difficult to get short, memorable domain names, and people make typos. If you can be sure your site ranks well for the name of your company, you don't need to worry about people mis-spelling your domain (and when your name is a bit tough to pronounce outside of the English speaking world.. or even in it... yeah, but we have always been called Smoothwall, so we're sticking to it, thanks!).

With the web losing some of the location-based addressing that ties content to domains and urls, and more web applications taking content from a variety of sources, this move would seem to send a warning to some popular URL-(ab)users - who needs link shorteners in a world without typing links? If everything is sent with embedded links, or transferred to meatspace as keywords rather than URL these services may see a decline. Interestingly for Smoothwall, and our users, this could accelerate the demise of the URL filter. When we no longer need sites to identify themselves as positively in URL, we can be more ambiguous - for example, bbc may no longer feel the need to have all sport under /sport - they aren't doing that to benefit a URL filter, and if there's diminishing benefit for the consumer, need they maintain these syntactic niceties?

Interesting times ahead folks.

Five Tips to Assess Your School’s Network Security this Spring

2011-05-26T15:47:00.002+01:00

Spring is a good time to take stock of what’s working and what’s not. Students are busy taking final exams, and for School IT administrators, it might be time to test your network security solution and make sure it’s delivering what you need.

Here are five tips to make sure your network security and filtering solution is doing its job to make yours easier:

Appearances can be deceiving: Don’t just look at the URL, but look deeper into a page and content-scan the words and phrases. This insures that all pages are categorized, and a page can’t hide itself as something it’s not. Make sure your filter can determine context, content and construction to block out those tricky bad guys.

Look for “Just Right” blocking: IT administrators can be worn to a frenzy keeping up with the educators’ requests to unblock websites they need, while keeping a strong block in place. A smart filtering solution avoids over-or under-blocking and provides just the right level of blocking.

Go for the Interception: Students have become increasingly savvy in finding their way around blocked websites using proxy anonomizers. Look for solutions that can intercept HTTPS traffic to catch HTTP proxies as well as HTTPS proxies. With the right solution, users trying to get around blocked sites will be intercepted- achieving your goal for a safe network.

Be the all-seeing eye: IT administrators don’t have time to constantly scan the network. They need reporting functions that help make their life easier, not more difficult. During certain hours such as lunch or between classes, it may be good to keep a closer eye on network activity. Real-time content scanning provides valuable visibility, allowing IT administrators to nip potential problems in the bud.

Network Security never sleeps: It’s not just the school grounds that must be protected. Users who rely on laptops, netbooks or even Mac portables must also be protected while away from the school's network. The full policy and profile safeguards that apply while those laptops are connected on campus must apply when taken home or on field trips, and while those units are connected to the Internet at the local airport or other wi-fi hotspots. Upon return to the school's network, all reporting and tracking of web activities should be aggregated to the reports the school's administrators and teachers receive on student (or staff) activities.

Does your network security deliver these points? If not, spring is a good time to think about making a change. Once you have a network security solution in place that does its job, you can finally escape the glare of your computer screen and enjoy all that warm spring sunshine.

Thanks for reading, commenting or tweeting.

Hotels’ Wake-up Call: Illegal Downloads

2011-05-19T01:11:00.003+01:00

What’s as bad as bedbugs for hotels today? Like bedbugs, this threat is invisible when guests check in and the consequences may not be evident until long after the guest leaves. It’s extremely costly, with loss of revenue and legal costs. (Yes, it’s so nasty that lawyers are involved.) It’s a growing trend: video downloads on your network.

It started off innocently enough. Once upon a time, hotels had a nice revenue stream from pay-per-view films. Travelers who wanted to relax in their room had a few options: the regular TV programming, the book they may have brought, or splurge for a pay-per-view movie.

Then the internet revolution came about. Hotels began offering internet access in response to demands from business travelers and others who wanted to keep up with emails and their favorite websites. Then the availability of high quality video downloads and new devices with higher resolution began to change the game. Instead of paying for pay-per-view movies, guests could download videos for free on their own notebooks or iPads.

What does this mean for hotels? Colliers PFK Hospitality Research reports that hotel revenue from pay-per-view films has shrunk by 39%. Their study shows that in 2000, each hotel room would collect approximately $288 in pay-per-view revenue annually. Today, the average hotel room collects only $175 annually. The likely cause of this decline in revenue is the many alternatives found on the Internet for videos, gaming and other on-line entertainment.

Even more ruinous, many of these downloads are illegal downloads of copyright protected movies. Hollywood is becoming aggressive in pursuing perpetrators. Film producers are hiring law firms such as one known as The U.S. Copyright Group to issue subpoenas to internet service providers and get the names of individuals who downloaded these films. For hotels, that ISP address is under their name, and is their responsibility. Fines range from $1,500 to $2,900 or more per incident, or defendants could face even larger fines in court. While this type of tactic may not bear up under the scrutiny of higher jurisdictions or legal reviews, the risks remain the same, whether for an individual or a hotel management group: downloading of illegally-obtained copyrighted materials may be bad for your health and your wealth, if the lawyers have their way with you. (To see what one company is doing to offer hoteliers a sound solution go to: www.hotelpeertopeer.com)

Naturally, for hoteliers there’s the ongoing challenge of finding a way to provide the guest with good service, ample access to the Internet and still protect the institution from legal problems. Hotel IT administrators: this is your wake-up call. Make sure you are blocking illegal downloads on your network. Secure your network and sleep well at night: just don’t let the bed bugs bite.(that’s another worry for hoteliers, but not the topic of this post, by the way).

Thanks for reading, commenting and/or tweeting (www.Twitter.com/Smoothwall).

Budget-Cut Blues and Network Security Necessities

2011-05-11T23:46:00.000+01:00

What’s a school to do? Education budgets, especially in the United States, are being cut while network security threats continue to grow. School administrators and IT managers must meet growing compliance requirements, as well as face down the threats posed by students who have grown up on-line and know their way around network filters and blocks. Teachers, staff and students all have varying needs for access to the Internet and Web resources, but must also be monitored, provided secure connections and prevented from time-wasting or inappropriate sites. What’s a school to do?

For many schools, the first step is assessing their current network security configurations. Some points to consider when assessing the current network security system:

· Does the system achieve full compliance- such as with CIPA and other Federal and State requirements in the U.S. or BECTA in the U.K.?

· What reporting systems are in place? Efficient reporting functions can help save time and resources, reducing network security costs. How long does it take to run reports?

· Is it easy to monitor live logs as well as what’s been happening over the last 24 hours?

· Can you identify websites that might be potential time-wasters for staff and students, to save resources for those sites that promote instruction in the classroom?

Network security, when done right, should be a cost-saver. Likewise, when done right, network security is a productivity-booster. And, without a doubt, the risks and costs of an unsecured network are far greater than the expense of protection. So, while Benjamin Franklin (U.S. patriot, publisher, inventor, statesman and all-around intellectual) was famous for proving that lightning can strike a kite and shed light on the nature of electricity, he also famously said, “An ounce of prevention is worth a pound of cure.”

Which does your school prefer? To be struck by lightning or to be protected from the viruses, worms, spies and dangers that lurk around the edge of your network? Network security is worth every penny, every pound and every dollar you invest in it.

Thanks for reading. Care to comment? Please do so, or tweet us at: www.Twitter.com/Smoothwall

Mother Knows Best- Even with Network Security

2011-05-05T14:26:00.005+01:00

You didn’t realize it at the time, but your mother taught you everything you need to know about network security--or at least the important highlights. After all, mom’s goal is the same as ours as network security administrators: to keep us all safe.

Does any of this advice sound familiar?

1. Be suspicious, trust nobody. That goes for users on your network, as well as messages you receive from friends. Make sure users aren't allowed to download anything without permission. Be wary of suspicious links or invitations to join new social networks. These could be phishing attacks in disguise.

2. Lock the door. You wouldn’t let strangers into your house, so why would you let them onto your network?

3. Do your homework. Threats change daily. Keep up on newest threats so you can make sure your network is prepared for them.

4. Keep things clean. What she meant (in addition to clean socks and washing your hands regularly) was to make sure your PC, network protection and malware detection software is always up to date. Updated software and network protection will help keep the bad guys out.

5. Always be aware. Look before you cross the street, even if you don’t hear a car, and don’t assume some websites are safer than others. Sometimes the most “trusted” sites can be more dangerous. Educate other users on your network to inform them of the risks.

So let’s hear it for Mom. The network security savvy we have today originates in her good advice. It’s one more reason to thank her for all that she’s done for us. Oh, by the way, Happy Mothers’ Day!

We appreciate you reading our posts. Feel free to comment or post a tweet: www.Twitter.com/Smoothwall

Sir Becta and Mr. Cipa - Comrades-in-Arms

2011-04-20T14:30:00.004+01:00

The quote is attributed to George Bernard Shaw: “England and America are two countries separated by the same language.” (1)

Who knows? Perhaps it’s true. Nonetheless, there are many things that bind us together, despite Mr. Shaw’s rumination.

Here, for example, are two distinguished purveyors of Network Security, or if you will, Web Security. They are, Sir Becta and Mr. Cipa, similar in outlook, and contemporaneous in age. Both are focused on providing safety for school children and school administrators from the perils present on the Internet. Each is a creature of the legislative system of his respective country. In this case, Sir Becta, http://www.smoothwall.net/c/article/306/becta/ is British, borne of the House of Commons in 1998 (though recently destined to be "downsized" by budget cuts), while Mr. Cipa http://www.smoothwall.net/c/article/63/cipa/ is the offspring of the U.S. Congress, Senate and White House, circa 2000, and still very much his lively self, the law of the land (USA, that is).

Whether you ascribe to Mr. Shaw’s opinion or not about our two countries being separated by the English language, web security on both sides of the pond, especially for minors, is a vital part of society’s response to the threats and dangers lurking on the web. Responsible teachers, schools, administrators, boards of education, and the public (citizens like you and me) all form part of civil society’s efforts to protect children from pornography, pedophiles, cyber-bullying and other threats that can invade and threaten kids via an internet connection, a chat room, email or other means.

This is in essence what one British-born, American-bred company, Smoothwall, does for a living. We are both British and American, like Sir Becta and Mr. Cipa. And, we are committed in both countries and everywhere else we operate to providing our web filtering and network security solutions for the safety of minors, and the safety of everyone else, for that matter. So, rather than seeing the two countries as divided by a common language, Smoothwall sees the world and the Internet protected by a common set of network security solutions. Doesn’t it make sense to minimize our differences, and maximize our commonalities, for the benefit of our kids, and the protection of society?

Thanks for reading, and please feel free to comment. Care to converse or "tweet" with us? Please go to: http://www.Twitter.com/Smoothwall .

(1) source: http://www.brainyquote.com/quotes/authors/g/george_bernard_shaw_3.html)

Infosec this week. Best post about security?

2011-04-16T20:37:00.005+01:00

Hey there readers. (Or at least I hope there's more than one of you). Infosec this week - if you've not been it's a lot of fun (except for the standing up for ages bit). Be good to see a few old friends there (hey Shep), and check out whats new and groovy in the world of "Info" "Security" (don't hold your breath).

So, anyway, what with the week it is - maybe I thought i'd stick up a post about security... these crazy ideas, eh? Bit of an old topic though - risk. Specifically people mis-assessing it - including some folks who should know better.

First up - there's been a lovely message doing the rounds on Facebook. This message exhorts users to sidle on up to the url bar, and bob an "s" on their "http". Harmless advice, nay even reasonable advice - but you're really not at a great deal of risk, given that login is always encrypted, so the worst you're really looking at is a session hijack on untrusted media. So folks will bandy about useful but largely irrelevant advice - you never see a "viral" encouraging good password sense, or not leaving yourself logged in on a public PC.. and this is probably because the HTTPS advice is easy to execute - hey look, I can see there's no "s", but I can put one there and feel safe. Nice. Security, it's like a switch, you can turn it on and go back to sleep. Hmm I didn't intend this post to be about Infosec, but i'm getting a faint echo of some of the marketing guff I heard there last year...

Secondly, and these boys and girls belong firmly in the "should know better" camp... I recently upgraded my phone (finally went smartphone, the Luddite is dead). The network, Everything Everywhere (always block.. guardian3 users know the score...) allow me to set a lovely long password. It has numbers and everything. Now, don't ask why, but I ended up calling these guys a few times over the last week.. and always giving the same two characters in my password. My secure-sense (yeah right) finally surfaced, and I questioned my "customer services advisor" and yeah, sorry coincidence hunters, they always ask the first two characters. There's probably a few statistics you can use to tilt the balance in your favour (not least overhearing any call!) - my first guess, going vowel-consonant only bought me 3%, I bet you, dear reader can whip that with a bit of grep and /usr/share/dict/words! On the other hand, these guys won't post my new trombone to anything but my home address. Which I told them. After giving my "2 character 10 character" password. I wonder if this new "home address only" policy is fixing the symptom, not the cause?

Lastly i'd like to put in a good word for CEOP, who got a bit of gyp in the press for not making their child abuse reporting form HTTPS.. what's more important, being able to report such sites, or mitigating the minuscule risk of an interested party snooping?

Voices from America

2011-04-13T17:39:00.005+01:00

Greetings from the United States of America!

As a long-time software executive, working throughout the world to sell, market and establish high-tech solutions in various markets, it's a pleasure to be a part of the Smoothwall team. My role is to run the U.S. and other territories in the Americas, and to expand Smoothwall's success. This is an ongoing and expanding project, and as part of our outreach, we're contributing "posts" to this blog.

For the most part, you'll hear about ideas, activities and interesting elements that we comment on from the USA or other parts of our extended territory. This may be something specific to the industry, or more detailed, with regard to how a particular client deals with network security challenges, or applies creativity to network situations.

With luck, you'll read and enjoy these voices from America and they will be relevant in today's globalized world. You'll clearly be reading the U.S. English version (z's insteads of s's), with U.S.-centric vocabulary and phrases. The bottom line, all the same, will be added-value for your appreciation of all things in the network security industry, specifically with regard to how Smoothwall, Inc. (and the mother ship, Smoothwall, Ltd.) approach our charter of protecting networks, people and productivity.

As we say in the States: "British-born, American-bred, World-class Web Filtering and Security".

Thanks for reading. Care to comment? Please do so, or follow us and talk back via Twitter:

www.Twitter.com/Smoothwall

Poor customer service - in this day and age!

2011-04-04T15:53:00.002+01:00

In this day and age of bloggs and web-savvy users, especially those buying technical services - who would expect a DNS company to have poor customer service? Customer service is pretty much the most important part of a company - it is so important and influential that it can even make up for or mask a lesser product. By customer service I don't just mean the support department, but also accounts, pre-sales, sales, website - anything which services a customer's needs.

I needed a new DNS provider as my old one no longer replied to support tickets and seemed to be disappearing. I was recommended Namesco by someone; "I use them and they are OK." They did not appear to support IPv6 so I contacted their support and they said that although it's not on the control panel, I can contact them and they will add the glue records for me. So I moved my 24 domains.

But then I found out that they could not support IPv6 DNS glue after making a ticket to ask for it to be added. So I put up with having only IPv4. I've now got to the point I no longer want to run my own DNS servers (SaaS FTW) so I've been looking around and gandi.net seem to offer a good promise of customer service, full IPv6 support and free DNS serving. They also responded to my first ticket in minutes.

Back to the irritating Namesco control panel and I find that to transfer each domain I have to pay £10+VAT. I've never had to do this before when I transferred the last three times (I've had my own domains for 13 years). But not only do I have to pay £240+VAT, I have to repeat the process and go through a checkout TWENTY FOUR TIMES. Fail!

Don't they know a happy customer tells maybe three people. But an unhappy customer tells ten!

If the customer service staff at Smoothwall acted like this to our customers, I would have words with them, or their manager - and then make sure they got the training needed not to make the mistake again.

Now I am off to repeat an annoying loop 23 more times, get RSI and probably have VISA call me up and say there's suspicious activity on my card...

ICANN approve XXX, Domain Registrar In Line for $$$

2011-03-21T15:21:00.004Z

ICANN have finally approved the controversial .xxx top level domain. Apparently all the porn on the Web is suddenly going to up sticks and move to this new domain. Whilst our jolly pornographers get to grips with that, lets take a moment to leave fantasy island and consider the real world implications of this move.

Who is the new TLD going to help? Will it help those of us trying to keep impressionable youngsters away from pornographic material? Not really. At Smoothwall we have been blocking this non-existent domain pretty much since we started making web content filters. It is not hard to do, but it certainly does not get you much traction. Most porn sites will keep their existing domains, and even if legislation eventually forces the US and EU sites to consolidate under .xxx, there's still the less salubrious porn sites whose owners are less than concerned about that sort of legal threat. Will it help the porn industry? Unlikely. It might lead to the odd fracas over a contested domain name, where two skin merchants try to muscle in on the same .xxx domain, having come from, say a .com and a .tv. No, the only people it will help are those selling domains, and the really unimaginative self-abusers who have a hard time finding porn (if this is you, please write in at the usual address).

Entertainingly, whilst we've been fannying around trying to find a new home for our hardcore, looking at pics of naked people has finally been relegated to second spot in the "internet usage highscore table". Yes, you guessed it, social networking, that digital white noise (that this blog almost certainly counts as), has overtaken porn in the UK web traffic stakes. I'm not sure what sort of a message this sends about our society as a whole. Idle chatter probably appeals to a wider demographic than the soon-to-be denizens of .xxx and is less likely to be blocked at web filter level, despite contributing to huge levels of timewasting in offices the world over. Maybe we should lobby for a "social notworking" tld - .poke? .trivial? .inane? .waste?

It's not technology, nor is it cricket - Homeserve nightmare

2011-03-11T21:10:00.000Z

For the past two weeks we have been suffering two leaks caused by a Homeserve plumber. He fixed the original problem of a problematic flush, charged us £90 and gave us two free leaks.

A bit of history. We used to have our house serviced by Homeserve. They used to pop around once a year and spend a few mins doing the minimum work. The thing that really made us stop using them was one year the cowboy plumber checked a couple of things and then asked me to sign a form to say he had checked all the radiators. He had not even been upstairs!!! I asked him how he could have checked them without going to see them. He grunted and then checked them. We cancelled after that.

A few weeks ago our main bathroom toilet stopped flushing easily so my wife, without asking my advice, booked a plumber from Reactfast. He turned up in a Homeserve van. Oh dear I thought. I also thought "that guy looks familiar - is he the one who did a slack job of the radiators?"

He did a fairly quick job and showed me the toilet flushing easily and that he had replaced the cistern. Great.

Two days later, just before going to work, I noticed water coming out of the ceiling of the garage. This was not there when he was there as I would have noticed as I was doing a lot of work in the garage the same day he was breaking the toilet.

So we called Reactfast aka Homeserve again. A second different plumber turned up. He showed me how the first plumber had left the overflow pipe leaking and had fitted the float badly so it would get stuck. He ‘fixed’ it and left. He said the dripping would take a few days to stop.

Several days later the dripping was still going just as strong and the bathroom floor was now squelching with water coming between the tiles. So we called Reactfast aka Homeserve again. A third different plumber turned up. He showed me how the second plumber had left the overflow pipe leaking and removed it. He showed me that the first and second plumber should have removed the over flow pipe as the new cistern has an overflow built in. He said it was zero percent chance that it was not caused by the first plumber.

Five days later the dripping was still going albeit about half as strong. So we called Reactfast aka Homeserve again. A fourth different plumber turned up. He showed me how the third plumber had not spotted a leak under the tank behind the toilet. He replaced a rubber seal. Minutes later the dripping was almost gone.

For want of a working flush I have wasted time and effort and ended up with a ruined bathroom floor. Now I will have to go through all the time and effort getting my insurance company to argue with Homeserve’s liability insurance as to who’s fault it is. They already refused to send out a plumber “because it’s not an emergency”. Then when that is all done I will have to arrange people to come in and re-grout and fix any other damage which turns up.

Assuming of course this is the end of it.

I recommend never ever ever using Homeserve (or Reactfast). They clearly employ coyboy jobsworth useless plumbers.

NOT Finding and accessing a Google Docs collection shared with your group

2011-02-25T22:51:00.003Z

Today Google Docs annoyed me. A lot. Google have put a nice new UI on Docs and it is generally much better. However they have still not fixed an important usability issue - if someone shares a collection (previously known as folders which was a misleading name) with a group and you are in that group you would expect to be able to search for it and actually find it. Not quite...

Yesterday someone I know was struggling to put a collection shared with their group in their My collections. They were used to the old convoluted way. But it's simpler now. Or so I thought. I had not realised one extra bit of information. If one shares a collection with a group, no one in the group can see the collection until they are given a URL to the collection. So they can't see the document collection until they see the document collection. Chicken and egg.

The work around is either click on the link in the original sharing email just once. Or have someone IM, email or list on an internal wiki, the URL to the collection. Just click on it then close it. Now the collection will appear when you search for it and you can then follow the simple steps in my video.

Rubbish.

I am told a solution is being worked on. While they are at it I would also like logins to automatically strip the domain when users insist on typing their full email address when only the name part is needed. And the ability to not allow normal users to share stuff as they just mess it up. And the ability to disable "Off the record" in Google Talk. Basically I would like some polish on the Google Apps product. Stop working on fun new clever stuff and do the last 10% of what you already wrote.

Orange Money Launches NFC Credit Card, Still Years Behind Africa

2011-02-18T10:33:00.005Z

According to el reg, Orange is launching a new service, under the name "Orange Cash". I must admit to being a bit disappointed when I read the article though - it turns out this is just a pre-paid card (the article calls it a credit card, but that's stretching a definition since it is pre-paid!) with NFC (near field communications). While this is fun tech - Pete, a sysadmin here at Smoothwall Leeds described his first NFC shopping experience as "the simplest shopping I ever did" - it is hardly revolutionary. Indeed many people will already have NFC cards if they've recently been issued a new debit card.
So, what was I expecting? Well, being a regular visitor to Kenya, I noticed in december there were adverts all over Nairobi for Orange's "iko pesa" ("there's money" in kiswahili) service - a rival to local operation "mpesa" by Safaricom. Mpesa and iko both allow users to easily transfer money using mobile phones. I can see why this might be more useful to Kenyans than it would be in the UK - there's relatively little in the way of "infrastructure", especially outside of Nairobi, and many people have little ready access to cash, so this is a great way to pay for things, or send some cash home. On the other hand, i'd really find this useful in the UK - just for paying small sums to friends and family. Yes, I know I can access internet banking, but I might not have their details (how may of your colleagues do you have bank details for?) - so if I find myself owing Carol a fiver for a box of noodles at lunchtime, I either mess about with internet banking, or take a stroll to the ATM. If I already have her phone number, I could simply send her mpesa... much better, no?
Both these technologies raise interesting questions for security. NFC type devices are now used for opening car doors and allowing the engine to be started. We recently saw articles (see yahoo)suggesting that thieves might "range extend" proximity keyfobs to break into cars. It would be interesting to know if this could be done to NFC cards, but it seems a lot of work for transactions which are limited to a relatively small sum. I've not yet heard of any interesting mpesa fraud - although allegedly you can pay kenyan police bribes with it!

ISPs: Your Customers Are Not Idiots

2011-02-05T12:55:00.003Z

Well well. That's a first. Today I picked up a Huawei ADSL 2+ modem/router from my local post office, where it had been imprisoned for the crime of being (only marginally) too large to fit through my standard sized postbox. After walking home in the Yorkshire drizzle, I decided to have a poke around in the box, despite the fact that my new Internet service doesn't kick in til Tuesday.

New Internet service. Sore point. My erstwhile ISP UK Online have given up the ghost, and are encouraging well-known bastion of customer service Sky as their natural successor. I was sad to lose UKO - as one of a handful of LLU providers, they're part of a limited number of "real" ISPs, rather than marketing bacon wrapped round the tiny cocktail sausage of BT wholesale. Anyway, I liked UK online. Their customer service guys were helpful and smart. Their prices where a bit rich, but not too bad. Their service was beautifully reliable. I never felt "capped", and I never had a peep out of any of the many and various VPN types I used on the connection. So - sad to see them go.

A lot of people raised an eyebrow at my choice of talk talk. I'm a techie.. and they're very... con sumer, no? Well.. to be honest, it was them or Sky! I already have a relationship with both companies for TV and phone, and my experience of talk talk for phone over the last ~5 years has been good. I know that may put me in a minority, but it has been. I had a mixed bag when I rang to order my new service - UK call centre, answered quickly... but I needed to give far too many details and was treated a bit like a new customer. Overall, a wash on customer service there.

Anyway - that's enough warbling.. what prompted me to post? Oh yeah. In the modem box there's a leaflet. This leaflet gives you a choice - you can use the enclosed CD to configure your new modem.. or get this - you can follow the manual, and here's your username and passowrd. Crack on. This is new to me. As techie-in-residence for family and friends, and as a long-time Smoothwallite I have set up more DSL connections than most BT engineers, and one of my pet hates is the unwavering adherence to "Put the CD in and follow the prompts". This sort of thing naturally gets my back up - a kind of presumption of moronicity, if you will. On top of that, I am a Linux user, and of course user of vaguely unusual firewalls, sometimes "Put in the CD and press buttons" just won't answer the brief.

So - big props to Talk Talk - you didn't treat me like an idiot, and come go-live day, your little modem might well just chill on the shelf whilst I use the information you chaps handily provide to configure my trusty-but-sadly-discontinued linksys am200.

Farewell Peter

2011-02-03T17:37:00.004Z

It is with some sadness that we learn this week of the resignation of Peter Robbins OBE, Chief Executive of the Internet Watch Foundation. On Wednesday Eve Salomon, Chair of the IWF Board, announced that Robbins had tendered his resignation, effective July this year.

Robbins tenure at the IWF began in 2002 and it was with great pleasure that we at Smoothwall worked with he and his colleagues. Having met personally, I can say that he is true gentleman and clearly possesses a great understanding of technical and political nuance of work the IWF are involved in.

Media coverage of Robbin’s resignation reached The Register today and we were pleased to see kind commentary from Jane Fae Ozimek.
An interesting aside is Ozimek’s comment on the quantity of items in the IWF’s URL list. I believe that the supposedly “low” headline figure is a indication of the IWF’s success in their ‘Notice and Takedown’ role of tackling Child Abuse content at source, rather than a suggestion that the IWFs work may soon be complete*. Additionally, it is worth pointing out that unlike most URL lists, IWF’s list has a high degree of entropy, reflecting the rapidly changing hosts of abuse images - further testament of course to the takedown efforts of the IWF and other international Hotlines.

On that note we wish Peter every success in future, as Smoothwall continues to work with the IWF throughout 2011.

* - The IWF’s Annual Report for 2010 is due out later in the year. This yearly publication is an illuminating read and a great reminder of why we continue to support the IWF.

Secure Facebook, ooh er

2011-01-28T16:33:00.002Z

In the same week as Data Privacy Day and the suspected hacking of CEO Mark Zuckerberg's Facebook page, Facebook have added the new option of always-on SSL encryption for users accessing their service.

In a blog post yesterday the social networking giant announced two new security features. “Social authentication” is a new form of user authentication designed to thwart automated attacks, by asking the user to identify photos of their Facebook friends.
Facebook have also added the option of “Secure Browsing” to their Account security settings. When enabled, this causes Facebook to use SSL encrypted connections (HTTPS) rather than plain old HTTP. The changes give protection against various attacks “on the wire”, such as the Firesheep tool seen last year and the more sinister actions of the Tunisian government.

Ostensibly this is good news for us Facebookers, however the situation in the workplace may be less clear. With 4 out of 10 workplaces apparently blocking Facebook, we can assume that a good proportion of the remaining 6 use filtering and monitoring procedures instead. If Facebook access becomes “invisible” through encryption, more of these firms may be forced to bring down the ban hammer on facebook.com.
Or they could try a filter that understands HTTPS, like Guardian? Because it is the 21st century after all.

Google, autocomplete, filtering - where next?

2011-01-27T17:34:00.002Z

Google have begun rollout of the second round of autocomplete filters. If you're not familiar with autocomplete, and the filtering... here's the background: Google introduced auto-complete to their "search" box to make life easy for the terminally lazy - for example, when I start typing "web filter" into google, it handily suggests adding "bypass" on the end. I hadn't thought of that. Thanks! The next development was google "instant" - where search results were displayed for your half-completed terms. Soon, autocomplete got filtering - ostensibly to save the blushes of innocent searchers whose half-completed thoughts turned out to match vaguely pornographic terms. "Hot chi" for example will quickly stop autocompleting.

So that's the autocomplete filter - mostly "adult" content under scrutiny... some drug use type phrases. The next addition though is "copyright infringement searches" - now I don't personally see how not completing "torrent" is going to help reduce piracy - joe warez isn't going to sit at his PC and type "tor" and then think "nah, can't be bothered!" and search for "tortelini" instead. No, I don't rightly see the advantage. It stirred up a veritable hornets' nest of "free speechers" though, many of whom were conspicuous by their absence when the first lot of filtering was applied.

What interests me, from a web content filtering point of view, is the choice of terms. If we're going beyond "things that can cause embarrassment" to "things considered harmful by a. moralist" then where's the gambling terms? To my knowledge there isn't one that's filtered. My guess is that online gambling pays too well in google ads to make it worth filtering! On the other hand, powerful lobbying groups love to see torrent searches marginalised.

This has implications for web filtering types like Smoothwall - we have to help fill the gaps, especially in education - between what google is willing to keep out of searches, and what educators deem suitable for their young charges. Fun.

Internal Threats

2011-01-06T09:27:00.000Z

Don't just secure your network perimeter, consider that the majority
of attacks are committed by someone with existing access to the
internal network. These are often on hubs or rogue access points so
first things first, enable strict mac access control on your access
switches, you don't need to be using expensive switches as the feature
is often available on the most basic of managed switches. It may seem
tedious to get the mac addresses of every device but you've probably
already got them listed, in dhcp for example or even run an automated
script to scrape the arp cache from your dns server every couple of
minutes for a week.
Have a wireless survey every couple of weeks, it doesn't have to be
done by a pro with mapping software (unless you've got the money to
burn), you could even use a smart phone and take a slow stroll around
your premises, personally I'd use the tools on a live Linux
distribution like backtrack3. If you're really keen on wireless
security, look into kismet, it can be set to detect rogue access
points and even attempt to disrupt their use if discovered!
Sounds a simple one but only make live the network points that you
need to. An active network point in an unused room is perfect for an
intruder to get unsupervised access to your network.
Segment your network, either physically or virtually using vlans.
Having a firewall between your core servers and clients might seem a
little over the top but consider the services that are actually used
by your clients, these are very unlikely to change, at the very least
you could monitor traffic on non-standard/interesting ports, i.e. Who
is connecting via RDP to your domain controllers? Or who is accessing
file shares on your SQL server?

How to work around the problem of not receiving a copy of emails in Gmail you send to yourself or to groups which you a member of

2010-12-27T12:59:00.004Z

Gmail has a feature which is both really useful and also really annoying. Gmail is just about the only mail server which follows the RFC for SMTP correctly and will discard duplicate emails based on the SMTP ID. Where this is good is were you are in a couple of groups (or mailing lists), both of which are sent the same email - you only see one copy. Also, when you use conversation view you never end up having two copies of your email.

However it’s really annoying and does not match real people’s expectations or work flow. I’ll give you an example. Let’s say there’s an important announcement you need to email out to one of your groups. So you mail it out and then.... well you’ve no idea if anyone actually received it. Not good.

Another scenario is you CC yourself in an email or send yourself and email to remind yourself to do something - the email may well never appear in your inbox. If you’ve not seen this problem then you are probably using a single domain with a single email address for your account, in which case the problem does not occur.

There are solutions or work-arounds to these problems. Which is why I made my video linked above in the title to explain them.

DEFT Linux - a live CD Linux distribution for computer forensics

2010-12-13T20:19:00.000Z

A nod and thanks to Nik Barron for this one.

The latest version of DEFT Linux, a live CD Linux distribution for computer forensics, has just been released. DEFT is particularly useful for network forensics as it includes the Xplico, an open source tool for analysing and reviewing live network traffic. DEFT also includes the latest versions of a wide range of computer forensic and security tools.

http://www.deftlinux.net/
http://www.xplico.org/

zScan for iOS

2010-12-10T16:50:00.001Z

I like my iPhone, I also like Nmap and until recently the only way to use Nmap whilst on the move was to jailbreak your iPhone (not something I fancied doing, I also like warranties).

Ok, this utility is not as fully featured as Nmap but it gives you the ability to scan the network you're connected to and list open ports, operating systems and *some* vulnerabilities, then email the logs off. Not only that but you can ping, nslookup and whois all from within the app. I've already used it to demonstrate to a customer the necessity of password protecting wireless networks.

For a couple of pounds it's not a bad little app and hopefully there will be more updates shortly.

EhhhHemm!

2010-12-10T14:37:00.000Z

Welcome. We're not trying to change the world - just keep our bit of the garden tidy and free from snakes and things that bite the unwary.

Our contributors are a mixed bunch - their main connection is that they work with or for Smoothwall or in the internet security industry. They've all got interesting view points and attitudes (many of which will not follow Smoothwall company policies) - you may not agree with them but at least they're not boring.